BitLocker tips and tricks

BitLocker tips and tricks

In this post, I will be talking about couple of BitLocker tips and tricks, killer mistakes and some resources that you can use for your deployments.

BitLocker User Guide

One of BitLocker tips is to prepare a user guide for using BitLocker in your enterprise. One of the most important things when you decide to roll out BitLocker at your corporate, is simply communicating this to your business users. Not only they deserve to know about encryption on their laptops, they should be aware of this encryption and need to know what to do when for example they forget the start-up PIN. They should also be aware not to share or write down the BitLocker start-up PIN if any, and that they shall not disable encryption on their machines if they have administrative rights.

I created a sample BitLocker User Guide for you to look at, and help you writing your own. The guide contains the following sections:

What is BitLocker?

Will I notice a difference?

How BitLocker works?

Creating your pin

Changing the PIN

What if I forget my PIN?

Protecting Data drives with BitLocker

Protecting USB drives with BitLocker

Standby Mode (Sleep Option)

Will BitLocker effect performance of my laptop?

Removing BitLocker protection Policy

BitLocker killer mistake

Assumptions

You have BitLocker deployment where you backup your BitLocker recovery key to Active Directory.

The wrong thing

When you format a computer, you go to AD, delete the computer account, and create a new one, then you join the formatted machine to domain! Killer mistake.

The right thing

When you format a computer, you go to AD, (RESET THE COMPUTER ACCOUNT) , and then join the formatted machine to machine!

What can go wrong if I delete computer account

When you enable BitLocker on a computer drive, the machine will write BitLocker recovery information on the computer account in AD. So if you delete a computer account, you will delete all BitLocker recovery information. Instead resetting computer account will not.

Common Mistake Scenario

A computer with C and D drives with BitLocker enabled on both of them. You backed up everything in the C drive and since the C drive is big enough, you decided to keep the D drive as is, and only format the C drive.

You start installing Windows on C drive, you deleted the computer account from AD, and then you created a new one. Then you join the machine to domain, and enable BitLocker on the C drive.

Now you noticed the D drive is encrypted. You go to AD to find a recovery information for that drive. The surprise is that there is no recovery information for the D drive, since you deleted the computer account and created a new one. Good luck with that.

Remember to always reset computer accounts instead of the old habit of deleting them.

BitLocker issues you may face

Problems

Case 1: What will happen if you rejoin a BitLocker protected computer to the domain

Case 2: Renaming a computer which has BitLocker

Case 3: Computer was used by user1, user1 resigned, so you reset his computer account in AD, reformatted the machine, join it to domain and re-enabled BitLocker on it

Case 4: deleting computer which has BitLocker from AD

Case 5: Enabling BitLocker before joining the machine to the domain

Case 6: divergence happened, you have a domain joined machine with BitLocker enabled, and in AD you do not have recovery information for that computer.

Solutions

Case 1,2

If you rename a computer which has BitLocker already turned ON, or If you re-joined a BitLocker encrypted machine to the domain , nothing will happen to the BitLocker recovery information in Active Directory. You can still see them as per Microsoft blog post.

Case 3

Since the computer object was reset, and not deleted (recommended way), then you will see accumulative BitLocker information under the computer object for the volume encryption keys when the machine was owned by user1, and the volume recovery keys after the format. Nothing bad about this from my point of view.

Case 4

If you deleted a computer object that has BitLocker information on it, then both the computer object and the BitLocker recovery information are moved to the AD recycle Bin if you AD recycle bin enabled. Nevertheless, the links between the computer object and the child objects are broken.

Case 5 , 6

Enabling BitLocker before joining the machine to the domain, means that the BitLocker recovery keys for that machine are not stored in Active Directory and this is very dangerous and risky.

This also can happen if BitLocker was enabled and there was no network connectivity to the domain at that moment. Another possibility is that group policy settings to save recovery information to AD was not enabled at the time of encryption.

To ask your machine to backup its recovery keys to Active Directory, do the following steps for each encrypted volume on the machine:

Go to that machine, open CMD using elevated admin rights and type the following command to show BitLocker protectors for the C drive:

1

manage-bde-protectors-getc:

Search for the Numerical Password item, and copy the ID value. In the below screen shot, the ID value is {21E15846-E03B-4D01-9B98-58A662586947}. This represents the ID of the value that we want to backup to AD. The value it self exist in the Password field. I hide that field from the screenshot for privacy reasons. Anyway, we only need the ID value.

Reason

Going back to basics. Do you know where the BitLocker information is stored for a computer object ? They are stored as a child object below the computer object itself.

Now, when the computer get deleted from Active Directory and moved to the AD recycle bin, the links between the child objects and the parent are broken. In the AD recycle bin you will see both computer objects and child objects randomly stored there. If you put your hand in this recycle bin and pull a computer object, you will not see any of its child objects attached to it any more. This is exactly what happened when you restored the AD computer from recycle bin, you will get the computer object without its child objects.

Solution

Lucky for all of us, each child objects of type (BitLocker Recovery Information) will have an attribute called (lastKnownParent). So theoretically if you go to the recycle bin and asked ” I have a parent called ComputerX, so which of you guys are the sons of this computer (which of you has the lastknownParent = ComputerX).

Download Script

Go to your Domain Controller or any machine with Active Directory PowerShell Module, open PowerShell using a domain administrator account (only domain admin can restore from AD recycle bin), run the script from there. Make sure AD PowerShell module exist on that machine.

Do not forget that you may need to run Set-ExecutionPolicy Unrestricted on PowerShell to allow script execution.

The script is written by Norman Bauer and you can download it from his blog post.

How does the script work

It will ask you about the name of computer to restore

Validation check: checking if that computer exists in AD first.

If not, then the computer may be in recycle bin, search there and report if it is not there also (

You have Successfully Subscribed!

About The Author

Ammar is a digital transformer, cloud architect, public speaker and blogger.
He is considered a trusted advisory with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing.
His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional.
Ammar appears in a lot of global conferences, and he has many publications about digital transformation and next generation technologies.